June 7, 2019
The European Commission published new guidance on May 29th (available here) (the Guidance) clarifying the interplay between the General Data Protection Regulation (GDPR) (available here) and Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union (the Regulation) (available here).
The Guidance is of importance to entities of all sizes and in all locations that are subject to GDPR and the Regulation. The Guidance explains the relationship between GDPR and the Regulation, particularly within the context of “mixed datasets” containing both personal and non-personal data.
GDPR applies to personal data, which is broadly defined to mean any information relating to an identified or identifiable individual. The Regulation, on the other hand, seeks to encourage the free movement of non-personal data throughout the EU in order to promote interconnectivity and expand business opportunities. Non-personal data encompasses data that originally did not relate to an identified or identifiable individual, or data which was initially identifiable but was later made anonymous.
In reality, the majority of datasets used by businesses are mixed and contain both personal and non-personal data, thus implicating both GDPR and the Regulation. Examples of mixed data sets include a company’s tax records, containing identifiable information such as the name and telephone number of a managing director; a company’s database of IT problems and solutions, based on individual IT incident reports; and data related to the Internet of Things, where some data allows for assumptions to be made about identifiable individuals, such as their particular usage patterns.
According to the Guidance, it is not necessary to process personal and non-personal data separately; a business should comply with GDPR with regard to the personal data portion of the dataset and the Regulation with regard to the non-personal data portion. However, there may be situations in which the personal data and non-personal data will be “inextricably linked,” making it impossible to determine which data to process under GDPR versus the Regulation. “Inextricably linked” is not a defined term in either GDPR or the Regulation. The Guidance provides two broad examples of situations where a dataset would be considered “inextricably linked”—where it is impossible to separate the personal and non-personal data or where separating personal and non-personal data is either economically inefficient or not technically feasible. In these instances where the personal and non-personal data are “inextricably linked,” the Guidance requires application of GDPR to the entire mixed dataset, even if the personal data comprises only a small portion of the dataset.
The Guidance also highlights the importance of the free flow of data within the EU and outlines the prohibition of data localization requirements under both GDPR and the Regulation. Specifically, the Regulation prohibits the imposition of data localization requirements for non-personal data in the absence of proportional justification on the grounds of public security. Similarly, GDPR provides for the free movement of personal data within the EU, while allowing for the imposition of conditions and limitations on the processing of certain sensitive data, such as genetic or biometric data or health information.
Finally, the Guidance encourages the development of industry-wide codes of conduct, particularly with respect to the portability of data. The Regulation does not place limits on contractual freedom; thus, business partners may agree on how to implement the principles of the Regulation. The Guidance stresses the importance of developing general industry standards, which the Commission expects to be implemented through model contractual clauses.
The Takeaway
The Guidance clarifies that there are no contradictory obligations under GDPR and the Regulation; both are intended to allow for and encourage the free movement of data within the EU. But that does not negate the obligation of a business to treat non-personal data as personal data subject to GDPR in certain instances. Non-personal data may still be subject to GDPR depending on how intertwined a business's personal and non-personal data are in its databases. If the personal and non-personal data cannot be processed separately, the Guidance makes clear that the obligations under GDPR will apply to the entire dataset. Evaluations should be undertaken to determine whether separating personal and non-personal data is technically feasible and whether it is feasible from a business standpoint. If neither is feasible, non-personal data in mixed datasets should be treated as personal data governed by GDPR if that is not already the case. It will be particularly important in the future to carefully evaluate, from a legal, economic and technical perspective, when the separation and separate treatment of such data is allowable versus situations in which the entirety of a mixed dataset is subject to GDPR.